VERA: Variational Inference Framework for Jailbreaking Large Language Models

Anamika Lochab, Lu Yan, Patrick Pynadath, Xiangyu Zhang, Ruqi Zhang

TL;DR

VERA reframes black-box jailbreaking as posterior inference over adversarial prompts, training a compact attacker LLM via LoRA to learn a distribution $q_{\theta}(x)$ over prompts. By using a judge-based surrogate for $P_{LM}(y^*|x)$ and optimizing the ELBO with a REINFORCE gradient, VERA produces diverse, fluent jailbreak prompts that require no per-prompt optimization at inference. Empirical results on HarmBench show state-of-the-art ASR across multiple open- and closed-source LLMs, with strong transferability and notable robustness to defenses. The work demonstrates the value of a distributional perspective for red-teaming and highlights implications for designing more robust safety defenses against generalized adversarial prompting.

Abstract

The rise of API-only access to state-of-the-art LLMs highlights the need for effective black-box jailbreak methods to identify model vulnerabilities in real-world settings. Without a principled objective for gradient-based optimization, most existing approaches rely on genetic algorithms, which are limited by their initialization and dependence on manually curated prompt pools. Furthermore, these methods require individual optimization for each prompt, failing to provide a comprehensive characterization of model vulnerabilities. To address this gap, we introduce VERA: Variational infErence fRamework for jAilbreaking. VERA casts black-box jailbreak prompting as a variational inference problem, training a small attacker LLM to approximate the target LLM's posterior over adversarial prompts. Once trained, the attacker can generate diverse, fluent jailbreak prompts for a target query without re-optimization. Experimental results show that VERA achieves strong performance across a range of target LLMs, highlighting the value of probabilistic inference for adversarial prompt generation.

Paper Structure

This paper contains 25 sections, 8 equations, 5 figures, 12 tables, 1 algorithm.

Figures (5)

  • Figure 1: Comparison between traditional jailbreak pipelines and VERA. Traditional methods (e.g., chao2023jailbreaking; yu2023gptfuzzer; liu2024autodan) require per-prompt mutation, scoring, and iterative querying to generate a successful jailbreak, making them slow and brittle. In contrast, VERA samples diverse, high-quality adversarial prompts directly from a learned distribution at test time, enabling fast, parallelizable prompt generation without any additional optimization or search.
  • Figure 2: Overview of VERA training process. Given a target behavior -- e.g., how to build a bomb -- VERA first generates prompt samples through its attacker LLM. These samples are then used to compute the variational objective. Finally, the REINFORCE gradient estimator is applied to update the LoRA parameters of the attacker LLM.
  • Figure 3: Key properties of VERA-generated adversarial prompts compared against GPTFuzzer and AutoDAN. (a) VERA produces more diverse prompts, as indicated by lower self-BLEU and BLEU scores. (b) With a fixed prompt budget, VERA achieves comparable success rates in significantly less time. (c) With a fixed time budget, VERA generates more successful attacks, substantially outperforming template-based methods.
  • Figure 4: Prompt used to condition the attacker LLM. This prompt instructs the attacker to generate an input that, when submitted to the target LLM, elicits a specific harmful behavior.
  • Figure 5: Representative adversarial prompts generated by VERA that successfully elicit harmful responses across a range of behaviors. These prompts are fluent, diverse, and aligned with the attack target.